Add documentation about new pcli commands

penumbra-zone · May 7, 2024 · 7e360d9 · 7e360d9
1 parent d5b61cf
commit 7e360d9
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 3 deletions.
diff --git a/docs/guide/src/pcli/wallet.md b/docs/guide/src/pcli/wallet.md
@@ -8,9 +8,11 @@ custody backend used to store keys.
 There are currently three custody backends:
 
 1. The [`softkms` backend](./wallet/softkms.md) is a good default choice for low-security use cases.  It stores keys unencrypted in a local config file.
-2. The [threshold backend](./wallet/threshold.md) is a good choice for high-security use cases. It provides a shielded multisig, with key material sharded over multiple computers.
+2. The [`threshold` backend](./wallet/threshold.md) is a good choice for high-security use cases. It provides a shielded multisig, with key material sharded over multiple computers.
 3. The `view-only` backend has no custody at all and only has access to viewing keys.
 
+Furthermore, `softkms` and `threshold` allow encrypting the spend-key related material with a password.
+
 After running `pcli init` with one of the backends described above, `pcli` will be initialized.
 
 ## Shielded accounts
@@ -100,4 +102,4 @@ definition updates or governance votes, this is possible:
 - To sign a validator vote over an airgap, produce a signature on the airgapped machine or machines
   using `pcli validator vote sign`, then upload the vote on a networked machine, after copying the
   signature across the airgap, using `pcli validator vote cast` with the optional `--signature` flag
-  to specify the externally-produced signature for the vote.
+  to specify the externally-produced signature for the vote.
diff --git a/docs/guide/src/pcli/wallet/softkms.md b/docs/guide/src/pcli/wallet/softkms.md
@@ -17,4 +17,18 @@ Alternatively, to import an existing wallet, try
 $ pcli init soft-kms import-phrase
 Enter seed phrase:
 Writing generated config to [PATH TO PCLI DATA]
-```
+```
+
+## Encryption
+
+A password can be used to generate an encrypted config via:
+```bash
+$ pcli init --encrypted soft-kms ...
+```
+with either the `generate`, or the `import-phrase` command.
+
+Furthermore, an existing config can be converted to an encrypted one with:
+```bash
+$ pcli init re-encrypt
+```
+
diff --git a/docs/guide/src/pcli/wallet/threshold.md b/docs/guide/src/pcli/wallet/threshold.md
@@ -81,3 +81,14 @@ the participants securely.
 An end-to-end example of how this process works is captured in this video:
 [https://twitter.com/penumbrazone/status/1732844637180862603](https://twitter.com/penumbrazone/status/1732844637180862603)
 
+## Encryption
+
+A password can be used to generate an encrypted config via:
+```bash
+$ pcli init --encrypted threshold dkg ...
+```
+
+Furthermore, an existing config can be converted to an encrypted one with:
+```bash
+$ pcli init re-encrypt
+```